fix: assertion check to ensure messages are in the room when editing/deleting, etc

isekai-main
Julian Lam 3 years ago
parent 82768fcf6e
commit d95b4ee29a

@ -277,4 +277,15 @@ Messaging.hasPrivateChat = async (uid, withUid) => {
return roomId; return roomId;
}; };
Messaging.canViewMessage = async (mids, roomId, uid) => {
let single = false;
if (!Array.isArray(mids) && isFinite(mids)) {
mids = [mids];
single = true;
}
const canView = await db.isSortedSetMembers(`uid:${uid}:chat:room:${roomId}:mids`, mids);
return single ? canView.pop() : canView;
};
require('../promisify')(Messaging); require('../promisify')(Messaging);

@ -128,7 +128,11 @@ Assert.room = helpers.try(async (req, res, next) => {
}); });
Assert.message = helpers.try(async (req, res, next) => { Assert.message = helpers.try(async (req, res, next) => {
if (!isFinite(req.params.mid) || !(await messaging.messageExists(req.params.mid))) { if (
!isFinite(req.params.mid) ||
!(await messaging.messageExists(req.params.mid)) ||
!(await messaging.canViewMessage(req.params.mid, req.params.roomId, req.uid))
) {
return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-mid]]')); return controllerHelpers.formatApiResponse(400, res, new Error('[[error:invalid-mid]]'));
} }

@ -628,6 +628,12 @@ describe('Messaging Library', () => {
assert.strictEqual(body.status.message, await translator.translate('[[error:cant-edit-chat-message]]')); assert.strictEqual(body.status.message, await translator.translate('[[error:cant-edit-chat-message]]'));
}); });
it('should fail to edit message if message not in room', async () => {
const { statusCode, body } = await callv3API('put', `/chats/${roomId}/messages/1014`, { message: 'message edited' }, 'herp');
assert.strictEqual(statusCode, 400);
assert.strictEqual(body.status.message, await translator.translate('[[error:invalid-mid]]'));
});
it('should edit message', async () => { it('should edit message', async () => {
let { statusCode, body } = await callv3API('put', `/chats/${roomId}/messages/${mid}`, { message: 'message edited' }, 'foo'); let { statusCode, body } = await callv3API('put', `/chats/${roomId}/messages/${mid}`, { message: 'message edited' }, 'foo');
assert.strictEqual(statusCode, 200); assert.strictEqual(statusCode, 200);

Loading…
Cancel
Save